Has anyone experience with the OPNsense Captive Portal together with Let's Encrypt and an external landing page? I have made a setup with a Let's Encrypt certificate, a transparent proxy and a DNS entry for redirecting to the Captive Portal page on the OPNsense firewall. This works very well.

But I want to use an external page for the Captive Portal. For this I made a redirect from the local template to the external site. I have added the public IP of the external webserver to the CP settings. The external webpage is using another Let's Encrypt certificate, which works when using a direct request in the browser from a CP client. But if I use the CP functionality (redirect) on the client's device, it shows me the warning that the certificate is not trusted.

Dnsmasq is pointing to the public IP of the external site. I have made a Let's Encrypt certificate, which works on the local portal, with an alternative FQDN, where the domain of the external page is added. The webserver has the same public IP as the OPNsense WAN port ... or rather ... they are in the same DMZ. I took a second webserver with the same configuration on another public IP, with the same result.

It looks like the captive portal uses the same Let's Encrypt certificate (with the alternative FQDN that works under the same IP) for the redirect as on the local page. Is there a solution for fixing that behaviour? Or is another solution for the HTTPS external landing page available?

P.S.: Using HTTP (without Let's Encrypt) on the CP site, the CP client gets the untrusted warning while interacting with the external page and the local Captive Portal for registering the client. I don't want that behaviour. This is the reason for using the Let's Encrypt certificates.

I know this is a very complicated topic. But I want to f... o.. pfSense, because OPNsense is the more understandable software. In pfSense it worked, because it works with a direct redirect in the captive portal settings. But it is much more insecure.

I have found a solution by myself. The redirect is now from HTTP to HTTPS. That worked. From the HTTPS landing page, I do API calls to an HTTPS web directory in OPNsense without using the Captive Portal root. This is working well, and I don't need more code than in the CP template of OPNsense.
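As an added example, not code from the post above and not the OPNsense project's own template, here is the shape such an HTTPS landing page can take when it talks to the captive portal API directly instead of serving the portal's own form. The hostname `portal.example.org`, the zone id `0`, the endpoint paths `/api/captiveportal/access/logon/<zone>/` and `/api/captiveportal/access/status/<zone>/`, the form-encoded POST body and the `clientState` field in the JSON reply are all assumptions, modelled on what the stock OPNsense portal template's JavaScript does; check them against your own firewall's template before relying on them.

```javascript
// Added example (not from the post or from OPNsense): a small logon helper
// an external HTTPS landing page could use against the OPNsense captive
// portal API.
//
// Assumptions (not stated in the post):
//  - the firewall is reachable from the landing page over HTTPS at CP_BASE_URL,
//    under a hostname covered by a certificate the client already trusts;
//  - the endpoints are /api/captiveportal/access/logon/<zoneid>/ and
//    /api/captiveportal/access/status/<zoneid>/, taking a form-encoded POST
//    and answering JSON with a "clientState" field (as the stock template does);
//  - the browser is allowed to make the cross-origin request (same origin or
//    CORS on the firewall side); this example does not configure that.

const CP_BASE_URL = "https://portal.example.org"; // assumed hostname
const CP_ZONE_ID = 0;                               // assumed zone id

// Build the logon request without sending it, so URL and body can be
// inspected offline. Refuses plaintext: credentials must not leave the
// page over http, which is exactly the case the post wants to avoid.
function buildLogonRequest(baseUrl, zoneId, user, password) {
  if (!/^https:\/\//i.test(baseUrl)) {
    throw new Error("captive portal base URL must use https");
  }
  if (!Number.isInteger(zoneId) || zoneId < 0) {
    throw new Error("zone id must be a non-negative integer");
  }
  const body = new URLSearchParams({ user, password });
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/api/captiveportal/access/logon/${zoneId}/`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
      credentials: "omit",
    },
  };
}

// Same idea for the status check the portal page polls after logon.
function buildStatusRequest(baseUrl, zoneId) {
  if (!/^https:\/\//i.test(baseUrl)) {
    throw new Error("captive portal base URL must use https");
  }
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/api/captiveportal/access/status/${zoneId}/`,
    options: { method: "POST", credentials: "omit" },
  };
}

// Interpret the portal's JSON reply. Only an explicit "AUTHORIZED" counts;
// NOT_AUTHORIZED, a missing field or a malformed reply are all failures.
function isAuthorized(reply) {
  return Boolean(reply) && typeof reply === "object" &&
    reply.clientState === "AUTHORIZED";
}

// Send the logon; fetchImpl is injectable so the flow can be exercised
// without a live firewall.
async function logon(user, password, fetchImpl = fetch) {
  const { url, options } = buildLogonRequest(CP_BASE_URL, CP_ZONE_ID, user, password);
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    throw new Error(`portal answered HTTP ${res.status}`);
  }
  return isAuthorized(await res.json());
}
```

The hostname in `CP_BASE_URL` has to be one of the names on the certificate the firewall's portal presents (in the post's setup, the Let's Encrypt certificate with the alternative FQDN), otherwise the browser will refuse the API call just as it refuses the redirect. Because the landing page and the firewall are different origins, the POST only goes through if the firewall answers the browser's CORS preflight; that is outside this example.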